Public Suffix List CAA issue(s)

mil.rw can be struck from the “down for A/CAA/NS” list. Today it works.

Nothing else appears to have improved.

mil.rw

Thanks for the update! If you want to run those tests in cron, it would be useful. I suspect that .sr also has good days and bad days, since it must have succeeded when I ran the scan that generated the exception list.

One hypothesis we’ve been kicking around is that some networks have DDoS scrubbing appliances that are enabled only some of the time, and those appliances misidentify and drop the CAA queries.

In a new category, one public suffix is sort of broken. (It was probably broken in the same way the first time I looked, but I dismissed it as a “random temporary issue” false positive.)

ba.gov.br

2/4 of the zone’s nameservers do not respond to CAA queries.

Worse, only those two are listed in the delegation.

Depending on the DNS implementation, it may always fail (Google Public DNS), always succeed (QNAME minimisation, probably), or sometimes both (Unbound).

$ digr ba.gov.br @b.dns.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse ba.gov.br @b.dns.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39954
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ba.gov.br.                     IN      A

;; AUTHORITY SECTION:
ba.gov.br.              86400   IN      NS      cpu0034.ba.gov.br.
ba.gov.br.              86400   IN      NS      cpu0020.prodeb.gov.br.

;; ADDITIONAL SECTION:
cpu0020.prodeb.gov.br.  86400   IN      A       200.187.60.85
cpu0034.ba.gov.br.      86400   IN      A       200.187.60.34

;; Query time: 112 msec
;; SERVER: 200.189.41.10#53(200.189.41.10)
;; WHEN: Fri Aug 11 07:36:52 UTC 2017
;; MSG SIZE  rcvd: 121

$ dig ba.gov.br ns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ba.gov.br ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7142
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ba.gov.br.                     IN      NS

;; ANSWER SECTION:
ba.gov.br.              300     IN      NS      ns2.pop-ba.rnp.br.
ba.gov.br.              300     IN      NS      cpu0020.prodeb.gov.br.
ba.gov.br.              300     IN      NS      cpu0034.ba.gov.br.
ba.gov.br.              300     IN      NS      ns1.pop-ba.rnp.br.

;; ADDITIONAL SECTION:
cpu0034.ba.gov.br.      300     IN      A       200.187.60.34

;; Query time: 247 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Aug 11 07:37:18 UTC 2017
;; MSG SIZE  rcvd: 152

According to version.bind, the bad nameservers are running “[secured]” and the good nameservers are running “[SECURED]”.

The public suffix has 274 unexpired Let’s Encrypt certificates, issued as recently as yesterday, and a similar number in the CT logs from other CAs.

None of them are on your SERVFAIL list, so perhaps it’s new, intermittent, regional, or the Let’s Encrypt resolvers always try all 4 nameservers.

https://crt.sh/?q=%ba.gov.br
https://www.google.com/transparencyreport/https/ct/?hl=en#domain=ba.gov.br&incl_exp=false&incl_sub=true

There’s a user on this forum who was the one who finally succeeded in getting the Brazilian government subdomains on the PSL (which was a huge service to local government employees who wanted to use Let’s Encrypt). Maybe he can help.

But first, I just sent a note of my own in Portuguese to PRODEB asking if I can talk to someone who’s involved in running their DNS servers. :slight_smile:

Update:

ba.gov.br
gov.mr
mil.no
sr

ba.gov.br’s status has partly changed: They removed the two good nameservers from the authoritative NS records! So now it’s all broken instead of just mostly broken.

mil.no and sr have not started working.

gov.mr (government of Mauritania) seems to be a new problem. Not sure everything that’s wrong with the domain, and some of it comes and goes (though CAA never works), but mostly there are bad referrals.

http://dnsviz.net/d/gov.mr/dnssec/

$ dig +short gov.mr ns
dns.mauritania.mr.
ns.univ-nkc.mr.

$ digr gov.mr caa @dns.mauritania.mr

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse gov.mr caa @dns.mauritania.mr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1145
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.   
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.

;; ADDITIONAL SECTION:
d.root-servers.net.     3600    IN      A       128.8.10.90
j.root-servers.net.     3600    IN      A       192.58.128.30
l.root-servers.net.     3600    IN      A       199.7.83.42
c.root-servers.net.     3600    IN      A       192.33.4.12
g.root-servers.net.     3600    IN      A       192.112.36.4
e.root-servers.net.     3600    IN      A       192.203.230.10
m.root-servers.net.     3600    IN      A       202.12.27.33
f.root-servers.net.     3600    IN      A       192.5.5.241
h.root-servers.net.     3600    IN      A       128.63.2.53
k.root-servers.net.     3600    IN      A       193.0.14.129
b.root-servers.net.     3600    IN      A       192.228.79.201
i.root-servers.net.     3600    IN      A       192.36.148.17
a.root-servers.net.     3600    IN      A       198.41.0.4

;; Query time: 170 msec
;; SERVER: 82.151.65.66#53(82.151.65.66)
;; WHEN: Wed Aug 30 20:31:25 UTC 2017
;; MSG SIZE  rcvd: 658

$ digr gov.mr caa @ns.univ-nkc.mr

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse gov.mr caa @ns.univ-nkc.mr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
gov.mr.                 604800  IN      NS      ns.univ-nkc.mr.
gov.mr.                 604800  IN      NS      dns.mauritania.mr.

;; ADDITIONAL SECTION:
ns.univ-nkc.mr.         86400   IN      A       82.151.64.1
dns.mauritania.mr.      604800  IN      A       82.151.65.66 

;; Query time: 187 msec
;; SERVER: 82.151.64.1#53(82.151.64.1)
;; WHEN: Wed Aug 30 20:31:58 UTC 2017
;; MSG SIZE  rcvd: 122
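A classifier for the failure modes seen in the ba.gov.br and gov.mr captures above (a listed nameserver that answers with a root referral, a non-authoritative referral to the zone's own NS set, or no proper negative answer at all), written as an added example and not taken from this thread. It parses saved `dig +norecurse <zone> caa @<ns>` text rather than doing live lookups, so it can be run over captures collected by a cron scan; the `gov.example` zone and the embedded reply are constructed samples.

```python
import re

# One resource record line as dig prints it: owner ttl IN type rdata
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return (status, flags, {section: [(owner, type, rdata), ...]}) from dig output."""
    status, flags, sections, current = None, set(), {}, None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(line[9:].split(";")[0].split())
        elif line.endswith(" SECTION:"):                    # ;; ANSWER SECTION: etc.
            current = line.strip(";: ").split()[0]
        elif current and line and not line.startswith(";"):
            if (m := RR_RE.match(line)):
                sections.setdefault(current, []).append(m.groups())
    return status, flags, sections


def classify(text, zone):
    """Verdict on a CAA reply from a server that the delegation lists as an NS of `zone`."""
    status, flags, sections = parse_dig(text)
    zone = zone.rstrip(".") + "."
    if status is None:
        return "no_reply"                      # timeout / query dropped (e.g. by a scrubber)
    if status not in ("NOERROR", "NXDOMAIN"):
        return "broken:" + status.lower()      # SERVFAIL, REFUSED, ... -> CAA lookup fails
    answer, authority = sections.get("ANSWER", []), sections.get("AUTHORITY", [])
    if any(rr[1] == "CAA" for rr in answer):
        return "caa_present"
    if "aa" in flags and any(rr[0] == zone and rr[1] == "SOA" for rr in authority):
        return "ok_no_caa"                     # authoritative "no CAA records here"
    ns_owners = {rr[0] for rr in authority if rr[1] == "NS"}
    if "." in ns_owners:
        return "lame:referral_to_root"         # server does not consider itself authoritative
    if zone in ns_owners:
        return "lame:referral_to_self"         # non-authoritative referral to the zone's own NS set
    return "unexpected"


# Constructed sample (not a capture from the thread): a lame server pointing at the root
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
.                       3600    IN      NS      a.root-servers.net.
"""

print(classify(ROOT_REFERRAL, "gov.example"))  # lame:referral_to_root
```

Feeding it the output of each `@<ns>` query for a zone gives one verdict per listed nameserver, which is the per-server view that a recursive resolver's SERVFAIL hides.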

Edit:

The “broken for A/CAA/NS” public suffix list has probably changed, but I don’t look closely at it.

All of the new public suffixes added since my first post are fine.

I didn't get any reply from PRODEB. We have quite a few certificates for this domain, so I think that's going to be a problem.

I'm happy to try something else, but I'm not sure what. :frowning:

I'm waiting to hear back from sr's DNS server vendor, whom I got a technical contact with yesterday; see

for more details.

No CA has ever issued a publicly-disclosed certificate for gov.mr so this might not seem like a priority for them. :frowning: Maybe they'll discover the problem when they eventually try to get their first certificate?

As for .mil.no, it looks like they're overwhelmingly (though not completely) DigiCert at the moment, so I've just asked DigiCert to get in touch if they have some channel.


PRODEB has an ombudsman (ouvidoria) to help "citizens" interact with the state government. While I'm not a citizen, I just sent the ombudsman office a long note about this problem along with a plea for them to help it get to the right place... which feels like something an ombudsman might in principle be able to do.

I have a further last-ditch idea, which is to write with the same information directly to their subdomain registrar service, which is meant for local government entities in Bahia. However, if that's entirely clerical and doesn't have a tech support function, they might not have any idea how to deal with what's essentially a tech support request (from a non-customer!).


Brief updates on everything but Mauritania:

I sent a bunch of technical details which my contact was supposedly going to forward to a responsible person inside the vendor's organization. I can request an update on this next week. (Per the other thread, the registrar is extremely aware of the problem but needs a fix from the vendor.)

DigiCert said they would try to get in touch with someone there.

I'll do this next week if I don't hear back from the ombudsman's office.


BTW, in your communication with the .sr support team, maybe you should suggest that they update the technical and administrative contacts in whois, since emailing those people didn't seem to get a reply.

Good idea, I’ve just pointed this out to them.

Update: No changes since the other day.

Current "broken for both CAA and NS" list:

mil.ac
res.aero
gov.as
com.bm
edu.bm
net.bm
org.bm
ar.com
hu.com
kr.com
no.com
qc.com
uy.com
tt.im
trentino-suedtirol.it
valdaosta.it
asso.km
per.la
gov.mg
geelvinck.museum
louvre.museum
xn--h1aegh.museum
biz.mv
i.ph
mil.sh
consulado.st
edu.st
embaixada.st
mil.st
net.st
store.st
test.tj
cc.id.us
cc.wa.us
mil.zw

(I didn't check A this time.)

I wrote to the ba.gov.br subdomain registration service today with the same information that I sent to the ombudsman's office last week.

No or few changes to the "broken CAA/NS" list. (To be specific, I filtered transient failures that changed, but didn't check if any "broken the other day" suffixes were transient failures today.)

Update:

I didn’t do a real scan, just spot checked the bad public suffixes.

gov.mr works!

$ dig gov.mr caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> gov.mr caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
gov.mr.                 3600    IN      SOA     dns.mauritania.mr. hostmaster.rim.mr. 2016071722 900 600 86400 3600

;; Query time: 1321 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 07 00:01:40 UTC 2017
;; MSG SIZE  rcvd: 101

https://unboundtest.com/m/CAA/gov.mr/EFRCE2TO

The other 3 public suffixes aren’t better.

ba.gov.br
mil.no
sr

Well, I sent a follow-up just now to the sr vendor and also a follow-up to the registrar.

Update:

I still haven’t done another real scan, but I did another spot check.

gov.mr stopped working again.

https://unboundtest.com/m/CAA/gov.mr/F6PMH2AV

ba.gov.br
gov.mr
mil.no
sr

I just added some seemingly bad news on Infoblox at


Update: No changes.

Some changes to the "broken for CAA and NS" list.

mil.ac
res.aero
gov.as
com.bm
edu.bm
net.bm
org.bm
ar.com
hu.com
kr.com
no.com
qc.com
uy.com
tt.im
trentino-suedtirol.it
valdaosta.it
blogspot.co.ke
asso.km
edu.km
gouv.km
gov.km
org.km
per.la
gov.mg
geelvinck.museum
louvre.museum
xn--h1aegh.museum
biz.mv
il.eu.org
i.ph
mil.sh
consulado.st
edu.st
embaixada.st
mil.st
net.st
store.st
test.tj
cc.id.us
cc.wa.us
mil.zw

(blogspot.co.ke has always had intermittent issues, probably improved in newer versions of Unbound, but usually it works after a couple retries.)

Maybe I'll stop scanning after September 8 or 9 or so.

I got a reply from PRODEB saying that someone is now looking into it (for ba.gov.br).

